CVE-2022-50625

Source
https://cve.org/CVERecord?id=CVE-2022-50625
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50625.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50625
Published
2025-12-08T01:16:39.642Z
Modified
2026-03-20T11:47:32.759679Z
Summary
serial: amba-pl011: avoid SBSA UART accessing DMACR register
Details

In the Linux kernel, the following vulnerability has been resolved:

serial: amba-pl011: avoid SBSA UART accessing DMACR register

Chapter "B Generic UART" in "ARM Server Base System Architecture" [1] documentation describes a generic UART interface. Such generic UART does not support DMA. In current code, sbsa_uart_pops and amba_pl011_pops share the same stop_rx operation, which will invoke pl011_dma_rx_stop, leading to an access of the DMACR register. This commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the access to DMACR register for SBSA UARTs which do not support DMA.

When the kernel enables DMA engine with "CONFIG_DMA_ENGINE=y", Linux SBSA PL011 driver will access PL011 DMACR register in some functions. For most real SBSA PL011 hardware implementations, the DMACR write behaviour will be ignored. So these DMACR operations will not cause obvious problems. But for some virtual SBSA PL011 hardware, like Xen virtual SBSA PL011 (vpl011) device, the behaviour might be different. Xen vpl011 emulation will inject a data abort to guest, when guest is accessing an unimplemented UART register. As Xen VPL011 is SBSA compatible, it will not implement DMACR register. So when Linux SBSA PL011 driver accesses DMACR register, it will get an unhandled data abort fault and the application will get a segmentation fault:

    Unhandled fault at 0xffffffc00944d048
    Mem abort info:
      ESR = 0x96000000
      EC = 0x25: DABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
      FSC = 0x00: ttbr address size fault
    Data abort info:
      ISV = 0, ISS = 0x00000000
      CM = 0, WnR = 0
    swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000
    [ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13
    Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP
    ...
    Call trace:
     pl011_stop_rx+0x70/0x80
     tty_port_shutdown+0x7c/0xb4
     tty_port_close+0x60/0xcc
     uart_close+0x34/0x8c
     tty_release+0x144/0x4c0
     __fput+0x78/0x220
     ____fput+0x1c/0x30
     task_work_run+0x88/0xc0
     do_notify_resume+0x8d0/0x123c
     el0_svc+0xa8/0xc0
     el0t_64_sync_handler+0xa4/0x130
     el0t_64_sync+0x1a0/0x1a4
    Code: b9000083 b901f001 794038a0 8b000042 (b9000041)
    ---[ end trace 83dd93df15c3216f ]---
    note: bootlogd[132] exited with preempt_count 1
    /etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon

This has been discussed in the Xen community, and we think this should be fixed in Linux. See [2] for more information.

[1] https://developer.arm.com/documentation/den0094/c/?lang=en
[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html
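
A user-space C model of the shared stop_rx path and the using_rx_dma guard described above, added here as an illustration; it is not the kernel driver's code. The struct, the mmio_write helper and the fault counter are assumptions standing in for an emulator such as Xen vpl011 that injects a data abort on the unimplemented DMACR register.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model only: names follow the commit message, layout is assumed. */
enum { REG_IMSC = 0x38, REG_DMACR = 0x48 };  /* PL011 register offsets */
#define RXDMAE (1u << 0)                     /* RX DMA enable bit in DMACR */

struct uart_model {
    bool sbsa;              /* device implements only the SBSA generic UART */
    bool using_rx_dma;      /* true only if RX DMA was actually set up */
    uint32_t dmacr;         /* driver's shadow copy of DMACR */
    unsigned faults;        /* aborts a strict emulator would inject */
    unsigned dmacr_writes;  /* DMACR writes that reached a real register */
};

/* Emulated MMIO: a strict SBSA device faults on the unimplemented DMACR. */
static void mmio_write(struct uart_model *u, unsigned reg)
{
    if (reg != REG_DMACR)
        return;
    if (u->sbsa)
        u->faults++;
    else
        u->dmacr_writes++;
}

/* Shared stop_rx path; 'patched' selects the using_rx_dma guard. */
static void stop_rx(struct uart_model *u, bool patched)
{
    mmio_write(u, REG_IMSC);             /* mask RX interrupts (always valid) */
    if (patched && !u->using_rx_dma)
        return;                          /* the fix: no DMA in use, skip DMACR */
    u->dmacr &= ~RXDMAE;
    mmio_write(u, REG_DMACR);
}

struct uart_model run_case(bool sbsa, bool using_rx_dma, bool patched)
{
    struct uart_model u = { .sbsa = sbsa, .using_rx_dma = using_rx_dma, .dmacr = RXDMAE };
    stop_rx(&u, patched);
    return u;
}

int main(void)
{
    printf("SBSA unpatched faults=%u, patched faults=%u\n",
           run_case(true, false, false).faults, run_case(true, false, true).faults);
    return 0;
}
```

The guard keys on whether RX DMA is in use rather than on the device type, so a DMA-capable PL011 with RX DMA active still has its DMACR enable bit cleared on stop.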

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50625.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0dd1e247fd39aed20fd2baacc62ca44d82534798
Fixed
1c5f0d3f480abd8c26761b6b1f486822e77faea3
Fixed
a4ea20ab82aa2b197dc7b08f51e1d615578276a0
Fixed
78d837ce20517e0c1ff3ebe08ad64636e02c2e48
Fixed
965f07ea5fd1b9591bcccc825a93ad883e56222c
Fixed
d5b16eb076f46c88d02d41ece5bec4e0d89158bb
Fixed
d71a611fca1984c0765f9317ff471ac8cd0e3e2f
Fixed
38a10fdd54d17590d45cb1c43b9889da383b6b1a
Fixed
64bc5dbc3260230e2f022288c71e5c680059384a
Fixed
94cdb9f33698478b0e7062586633c42c6158a786

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50625.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.9.337
Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.14.303
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.270
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.229
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.163
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.86
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.16
Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50625.json"